With the growing adoption of SaaS apps to support business processes, securing the data they handle is key to protecting your most valuable corporate assets. With Microsoft Cloud App Security, we are enabling customers to gain insight into and better control of their ecosystem of SaaS apps, both native Microsoft applications and beyond.

Today we want to share details around:

Two new detection capabilities that we are beginning to roll out – Ransomware activity and Terminated-user activity

The Public Preview of custom activities for deeper visibility and control of user actions via Conditional Access App Control

Enhancing Threat Protection Capabilities

Earlier this year, we announced new threat detection capabilities in Cloud App Security that included multiple new use-case driven detections, as well as a user-centric investigation experience.

Detecting Ransomware activity

Ransomware attacks remain a common attack vector that both nation-state attackers and financial cybercriminals are leveraging. Recent examples include NotPetya and BadRabbit – both large-scale, nation-state led campaigns, targeting enterprises.

To detect ransomware attacks, we apply our security research expertise in Cloud App Security to identify behavioral patterns that reflect ransomware activity. For example, a high rate of file uploads or file deletion activities can represent an adverse encryption process. This data is collected in the logs that we receive from the apps’ API. We then combine these behavioral patterns with Threat Intelligence capabilities, such as the detection of known ransomware extensions. This interplay ensures that the detection is holistic and robust and will result in relevant alerts within the Cloud App Security alerts dashboard.

Figure 1. Ransomware activity alert – details view
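
The combination described above (a burst of upload and delete activity, corroborated by a known ransomware extension) can be sketched as follows. This is an added example, not Cloud App Security code: the window, threshold, extension list and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative stand-in for a threat-intelligence feed (assumption).
KNOWN_RANSOMWARE_EXT = (".locky", ".wncry", ".cerber")
WINDOW = timedelta(minutes=5)  # assumed sliding window
RATE_THRESHOLD = 6             # assumed upload+delete events per window

def sample_events():
    """Constructed file-activity log: (timestamp, user, action, filename)."""
    t0 = datetime(2018, 5, 1, 9, 0, 0)
    events = [(t0, "alice", "upload", "notes.docx"),
              (t0 + timedelta(minutes=30), "alice", "delete", "old.txt")]
    # bob: each original is deleted and an encrypted copy uploaded 20 s later
    for i in range(4):
        ts = t0 + timedelta(seconds=40 * i)
        events.append((ts, "bob", "delete", f"report{i}.xlsx"))
        events.append((ts + timedelta(seconds=20), "bob", "upload",
                       f"report{i}.xlsx.locky"))
    return sorted(events)

def detect_ransomware(events):
    """Return {user: first_alert_time}. An alert needs BOTH signals:
    a burst of uploads/deletes and a known ransomware extension in it."""
    recent = defaultdict(deque)  # user -> events still inside the window
    alerts = {}
    for ts, user, action, name in events:
        if action not in ("upload", "delete"):
            continue
        win = recent[user]
        win.append((ts, action, name))
        while ts - win[0][0] > WINDOW:  # drop events older than the window
            win.popleft()
        burst = len(win) >= RATE_THRESHOLD
        bad_ext = any(a == "upload" and n.lower().endswith(KNOWN_RANSOMWARE_EXT)
                      for _, a, n in win)
        if burst and bad_ext and user not in alerts:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    for user, when in detect_ransomware(sample_events()).items():
        print(f"ALERT ransomware activity: user={user} at {when.isoformat()}")
```

Requiring both signals keeps a bulk upload of ordinary files, or a single oddly named file, from raising an alert on its own.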

Terminated-user activity

When looking at what can turn a former employee into an “insider threat” we often see that employees who left their company on bad terms pose the greatest risk. We’re seeing that as employees exit a company and their user accounts are de-provisioned from corporate apps as a result, in many cases they still retain access to some corporate resources. This becomes even more important when considering privileged accounts, as the potential damage a former admin can do is distinctly greater.

With the new detection capabilities we’re introducing today, Cloud App Security (CAS) will be able to identify when a terminated employee continues to perform actions on your SaaS apps. This detection is possible due to CAS’s ability to monitor user behavior across apps while user accounts are active. This allows us to profile the regular activity of the user, identify when the account is terminated, and determine activity on other apps beyond the suspension of credentials. For example, if an employee’s AAD account was terminated, but he or she continues to access the corporate AWS infrastructure, an alert will be triggered.
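
The correlation described above, sketched as an added example (not Cloud App Security code): identity-provider termination events are joined against activity logs from other apps, and anything after the termination time is flagged. The identity-provider event names and all sample records are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Identity-provider event names are hypothetical.
IDP_EVENTS = [  # (time, user, event) from the identity provider
    ("2018-05-02T17:00:00", "carol", "account_disabled"),
    ("2018-05-02T09:00:00", "erin", "account_disabled"),
    ("2018-05-02T11:00:00", "erin", "account_enabled"),  # disabled by mistake
]
APP_ACTIVITY = [  # (time, user, app, action) from connected apps
    ("2018-05-01T10:00:00", "carol", "AWS", "ConsoleLogin"),
    ("2018-05-03T08:15:00", "carol", "AWS", "StopInstances"),
    ("2018-05-03T09:00:00", "dave", "AWS", "ConsoleLogin"),
    ("2018-05-03T09:30:00", "erin", "Box", "FileDownload"),
]

def terminated_user_activity(idp_events, app_activity):
    """Flag app activity that occurs after the user's account was disabled."""
    disabled_at = {}
    for ts, user, event in sorted(idp_events):
        if event == "account_disabled":
            disabled_at[user] = datetime.fromisoformat(ts)
        elif event == "account_enabled":  # re-enabled accounts are active again
            disabled_at.pop(user, None)

    profile = defaultdict(set)  # apps each user touched while still active
    findings = []
    for ts, user, app, action in sorted(app_activity):
        when = datetime.fromisoformat(ts)
        cutoff = disabled_at.get(user)
        if cutoff is None or when <= cutoff:
            profile[user].add(app)
            continue
        findings.append({
            "user": user, "app": app, "action": action,
            "seconds_after_termination": int((when - cutoff).total_seconds()),
            "app_in_profile": app in profile[user],
        })
    return findings

if __name__ == "__main__":
    for f in terminated_user_activity(IDP_EVENTS, APP_ACTIVITY):
        print("ALERT terminated-user activity:", f)
```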

Public Preview: Define custom activities for deeper visibility and control of user actions via Conditional Access App Control

In November 2017, we announced the public preview of Conditional Access App Control, a feature that works hand-in-hand with Azure Active Directory conditional access, to provide real-time visibility and control of risky user sessions – for example, sessions with external users or users coming from an unmanaged device.

Today, we are excited to share the public preview of new and enhanced capabilities of this feature that facilitate deeper visibility into, and control of various applications. You can now create a Session Policy with an Activity type filter, to monitor and/or block a variety of granular, app-specific activities, such as those shown below. This new filter augments the existing file download control features, to provide you with comprehensive control of the applications in your organization.

Figure 2. Session Policy with various Activity types

When these policies are applied, and end-users come from a risky session, they will be monitored and/or blocked from performing the actions you have selected.

Figure 3. Block notification screen of a user when trying to perform a regulated activity

Marrying these new app-specific actions with the powerful download controls already available provides you with the deep level of control needed to keep your organization secure.

If you have Microsoft Cloud App Security deployed, you will soon start seeing these features in your tenant. If not, you can try Microsoft Cloud App Security for 90 days at no additional cost and see how this service helps you provide visibility, data control and threat protection for your cloud apps.
